fuzz: added fuzzer for certificate verification

This also adds a reproducer for CVE-2019-3829.

Resolves: #694

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

8 files changed, 286 insertions, 2 deletions

diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index 4af73bc095..32d64d6abc 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -9,6 +9,7 @@ LDADD = ../gl/libgnu.la ../lib/libgnutls.la \
  $(LIBS)
 
 FUZZERS = \
+ gnutls_x509_verify_fuzzer$(EXEEXT) \
  gnutls_base64_decoder_fuzzer$(EXEEXT) \
  gnutls_base64_encoder_fuzzer$(EXEEXT) \
  gnutls_client_fuzzer$(EXEEXT) \
@@ -31,6 +32,7 @@ FUZZERS = \
 
 check_PROGRAMS = $(FUZZERS)
 
+gnutls_x509_verify_fuzzer_SOURCES = gnutls_x509_verify_fuzzer.c main.c fuzzer.h
 gnutls_base64_decoder_fuzzer_SOURCES = gnutls_base64_decoder_fuzzer.c main.c fuzzer.h
 gnutls_base64_encoder_fuzzer_SOURCES = gnutls_base64_encoder_fuzzer.c main.c fuzzer.h
 gnutls_client_fuzzer_SOURCES = gnutls_client_fuzzer.c main.c fuzzer.h mem.h certs.h
diff --git a/fuzz/gnutls_x509_verify_fuzzer.c b/fuzz/gnutls_x509_verify_fuzzer.c
new file mode 100644
index 0000000000..645075150a
--- /dev/null
+++ b/fuzz/gnutls_x509_verify_fuzzer.c
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+#include <assert.h>
+#include <stdint.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "fuzzer.h"
+
+unsigned char _ca_der[] = {
+  0x30, 0x82, 0x05, 0xe2, 0x30, 0x82, 0x04, 0xca, 0xa0, 0x03, 0x02, 0x01,
+  0x02, 0x02, 0x10, 0x27, 0x53, 0xf8, 0x06, 0xfe, 0x91, 0x37, 0x32, 0x2f,
+  0x5b, 0x40, 0x9f, 0x1c, 0x31, 0x87, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81,
+  0xca, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
+  0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49,
+  0x6e, 0x63, 0x2e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b,
+  0x13, 0x16, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x54,
+  0x72, 0x75, 0x73, 0x74, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
+  0x31, 0x3a, 0x30, 0x38, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x31, 0x28,
+  0x63, 0x29, 0x20, 0x32, 0x30, 0x30, 0x36, 0x20, 0x56, 0x65, 0x72, 0x69,
+  0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x20, 0x2d,
+  0x20, 0x46, 0x6f, 0x72, 0x20, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
+  0x7a, 0x65, 0x64, 0x20, 0x75, 0x73, 0x65, 0x20, 0x6f, 0x6e, 0x6c, 0x79,
+  0x31, 0x45, 0x30, 0x43, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x3c, 0x56,
+  0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x43, 0x6c, 0x61, 0x73,
+  0x73, 0x20, 0x33, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, 0x50,
+  0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69,
+  0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74,
+  0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x2d, 0x20, 0x47, 0x35, 0x30,
+  0x1e, 0x17, 0x0d, 0x31, 0x30, 0x30, 0x32, 0x30, 0x38, 0x30, 0x30, 0x30,
+  0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x32, 0x30, 0x37,
+  0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x81, 0xb4, 0x31, 0x0b,
+  0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+  0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65,
+  0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
+  0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x16, 0x56,
+  0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x54, 0x72, 0x75, 0x73,
+  0x74, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31, 0x3b, 0x30,
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x32, 0x54, 0x65, 0x72, 0x6d,
+  0x73, 0x20, 0x6f, 0x66, 0x20, 0x75, 0x73, 0x65, 0x20, 0x61, 0x74, 0x20,
+  0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e,
+  0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d,
+  0x2f, 0x72, 0x70, 0x61, 0x20, 0x28, 0x63, 0x29, 0x31, 0x30, 0x31, 0x2e,
+  0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x56, 0x65, 0x72,
+  0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20,
+  0x33, 0x20, 0x43, 0x6f, 0x64, 0x65, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69,
+  0x6e, 0x67, 0x20, 0x32, 0x30, 0x31, 0x30, 0x20, 0x43, 0x41, 0x30, 0x82,
+  0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf5, 0x23, 0x4b, 0x5e, 0xa5,
+  0xd7, 0x8a, 0xbb, 0x32, 0xe9, 0xd4, 0x57, 0xf7, 0xef, 0xe4, 0xc7, 0x26,
+  0x7e, 0xad, 0x19, 0x98, 0xfe, 0xa8, 0x9d, 0x7d, 0x94, 0xf6, 0x36, 0x6b,
+  0x10, 0xd7, 0x75, 0x81, 0x30, 0x7f, 0x04, 0x68, 0x7f, 0xcb, 0x2b, 0x75,
+  0x1e, 0xcd, 0x1d, 0x08, 0x8c, 0xdf, 0x69, 0x94, 0xa7, 0x37, 0xa3, 0x9c,
+  0x7b, 0x80, 0xe0, 0x99, 0xe1, 0xee, 0x37, 0x4d, 0x5f, 0xce, 0x3b, 0x14,
+  0xee, 0x86, 0xd4, 0xd0, 0xf5, 0x27, 0x35, 0xbc, 0x25, 0x0b, 0x38, 0xa7,
+  0x8c, 0x63, 0x9d, 0x17, 0xa3, 0x08, 0xa5, 0xab, 0xb0, 0xfb, 0xcd, 0x6a,
+  0x62, 0x82, 0x4c, 0xd5, 0x21, 0xda, 0x1b, 0xd9, 0xf1, 0xe3, 0x84, 0x3b,
+  0x8a, 0x2a, 0x4f, 0x85, 0x5b, 0x90, 0x01, 0x4f, 0xc9, 0xa7, 0x76, 0x10,
+  0x7f, 0x27, 0x03, 0x7c, 0xbe, 0xae, 0x7e, 0x7d, 0xc1, 0xdd, 0xf9, 0x05,
+  0xbc, 0x1b, 0x48, 0x9c, 0x69, 0xe7, 0xc0, 0xa4, 0x3c, 0x3c, 0x41, 0x00,
+  0x3e, 0xdf, 0x96, 0xe5, 0xc5, 0xe4, 0x94, 0x71, 0xd6, 0x55, 0x01, 0xc7,
+  0x00, 0x26, 0x4a, 0x40, 0x3c, 0xb5, 0xa1, 0x26, 0xa9, 0x0c, 0xa7, 0x6d,
+  0x80, 0x8e, 0x90, 0x25, 0x7b, 0xcf, 0xbf, 0x3f, 0x1c, 0xeb, 0x2f, 0x96,
+  0xfa, 0xe5, 0x87, 0x77, 0xc6, 0xb5, 0x56, 0xb2, 0x7a, 0x3b, 0x54, 0x30,
+  0x53, 0x1b, 0xdf, 0x62, 0x34, 0xff, 0x1e, 0xd1, 0xf4, 0x5a, 0x93, 0x28,
+  0x85, 0xe5, 0x4c, 0x17, 0x4e, 0x7e, 0x5b, 0xfd, 0xa4, 0x93, 0x99, 0x7f,
+  0xdf, 0xcd, 0xef, 0xa4, 0x75, 0xef, 0xef, 0x15, 0xf6, 0x47, 0xe7, 0xf8,
+  0x19, 0x72, 0xd8, 0x2e, 0x34, 0x1a, 0xa6, 0xb4, 0xa7, 0x4c, 0x7e, 0xbd,
+  0xbb, 0x4f, 0x0c, 0x3d, 0x57, 0xf1, 0x30, 0xd6, 0xa6, 0x36, 0x8e, 0xd6,
+  0x80, 0x76, 0xd7, 0x19, 0x2e, 0xa5, 0xcd, 0x7e, 0x34, 0x2d, 0x89, 0x02,
+  0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xd6, 0x30, 0x82, 0x01, 0xd2,
+  0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08,
+  0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x70, 0x06, 0x03,
+  0x55, 0x1d, 0x20, 0x04, 0x69, 0x30, 0x67, 0x30, 0x65, 0x06, 0x0b, 0x60,
+  0x86, 0x48, 0x01, 0x86, 0xf8, 0x45, 0x01, 0x07, 0x17, 0x03, 0x30, 0x56,
+  0x30, 0x28, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01,
+  0x16, 0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77,
+  0x77, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63,
+  0x6f, 0x6d, 0x2f, 0x63, 0x70, 0x73, 0x30, 0x2a, 0x06, 0x08, 0x2b, 0x06,
+  0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x1e, 0x1a, 0x1c, 0x68, 0x74,
+  0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65,
+  0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72,
+  0x70, 0x61, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff,
+  0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x6d, 0x06, 0x08, 0x2b, 0x06,
+  0x01, 0x05, 0x05, 0x07, 0x01, 0x0c, 0x04, 0x61, 0x30, 0x5f, 0xa1, 0x5d,
+  0xa0, 0x5b, 0x30, 0x59, 0x30, 0x57, 0x30, 0x55, 0x16, 0x09, 0x69, 0x6d,
+  0x61, 0x67, 0x65, 0x2f, 0x67, 0x69, 0x66, 0x30, 0x21, 0x30, 0x1f, 0x30,
+  0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x8f, 0xe5,
+  0xd3, 0x1a, 0x86, 0xac, 0x8d, 0x8e, 0x6b, 0xc3, 0xcf, 0x80, 0x6a, 0xd4,
+  0x48, 0x18, 0x2c, 0x7b, 0x19, 0x2e, 0x30, 0x25, 0x16, 0x23, 0x68, 0x74,
+  0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6c, 0x6f, 0x67, 0x6f, 0x2e, 0x76, 0x65,
+  0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x76,
+  0x73, 0x6c, 0x6f, 0x67, 0x6f, 0x2e, 0x67, 0x69, 0x66, 0x30, 0x34, 0x06,
+  0x03, 0x55, 0x1d, 0x1f, 0x04, 0x2d, 0x30, 0x2b, 0x30, 0x29, 0xa0, 0x27,
+  0xa0, 0x25, 0x86, 0x23, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
+  0x72, 0x6c, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e,
+  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x63, 0x61, 0x33, 0x2d, 0x67, 0x35, 0x2e,
+  0x63, 0x72, 0x6c, 0x30, 0x28, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x21,
+  0x30, 0x1f, 0xa4, 0x1d, 0x30, 0x1b, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03,
+  0x55, 0x04, 0x03, 0x13, 0x10, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67,
+  0x6e, 0x4d, 0x50, 0x4b, 0x49, 0x2d, 0x32, 0x2d, 0x38, 0x30, 0x1d, 0x06,
+  0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xcf, 0x99, 0xa9, 0xea,
+  0x7b, 0x26, 0xf4, 0x4b, 0xc9, 0x8e, 0x8f, 0xd7, 0xf0, 0x05, 0x26, 0xef,
+  0xe3, 0xd2, 0xa7, 0x9d, 0x30, 0x2b, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04,
+  0x24, 0x30, 0x22, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03,
+  0x02, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03, 0x06,
+  0x0c, 0x2a, 0x86, 0x3a, 0x00, 0x01, 0x83, 0x8f, 0x89, 0x0d, 0x01, 0x01,
+  0x01, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16,
+  0x80, 0x14, 0x7f, 0xd3, 0x65, 0xa7, 0xc2, 0xdd, 0xec, 0xbb, 0xf0, 0x30,
+  0x09, 0xf3, 0x43, 0x39, 0xfa, 0x02, 0xaf, 0x33, 0x31, 0x33, 0x30, 0x0d,
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05,
+  0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x5b, 0x8e, 0x9f, 0xd3, 0xba, 0xbe,
+  0xa9, 0xaf, 0x1a, 0x3e, 0x65, 0x81, 0xb7, 0xc1, 0x64, 0xf6, 0xa2, 0x78,
+  0xeb, 0x4c, 0x80, 0x06, 0x3a, 0xac, 0x22, 0x6e, 0x8c, 0x2b, 0xbc, 0x5d,
+  0x85, 0x7f, 0xc0, 0x8f, 0x10, 0x2a, 0xca, 0xc4, 0xad, 0x96, 0x24, 0x01,
+  0x68, 0xff, 0x65, 0xb5, 0xd1, 0x14, 0x2c, 0x2a, 0xa5, 0xda, 0x49, 0x96,
+  0xaf, 0xe9, 0xd4, 0xff, 0x71, 0x9c, 0x93, 0x09, 0x4a, 0x6a, 0x61, 0xf4,
+  0x4b, 0xd1, 0xcb, 0xb6, 0x5f, 0x29, 0xfc, 0x68, 0x11, 0xe5, 0x72, 0xff,
+  0x46, 0x0f, 0x36, 0x29, 0x99, 0x43, 0x9e, 0xb3, 0xd9, 0xac, 0x47, 0x93,
+  0x7b, 0xef, 0xc4, 0xeb, 0x66, 0x86, 0xa7, 0xd6, 0x89, 0x54, 0x3e, 0x94,
+  0x9b, 0x0d, 0x91, 0xf0, 0xd2, 0x23, 0x6a, 0xc0, 0x0d, 0x37, 0xce, 0x46,
+  0xdf, 0x95, 0xae, 0xa4, 0x65, 0xc6, 0x18, 0xbf, 0xa4, 0x69, 0x73, 0x3f,
+  0xe8, 0x85, 0xd0, 0x48, 0x7d, 0x28, 0xef, 0xf3, 0x5f, 0xb0, 0x01, 0xb4,
+  0x75, 0xb4, 0xd1, 0x53, 0x4b, 0xf4, 0x6f, 0xf6, 0xa4, 0x8b, 0x66, 0xb6,
+  0xef, 0x78, 0x39, 0xc5, 0x88, 0x2b, 0x67, 0x32, 0x1a, 0xef, 0x40, 0xc0,
+  0x94, 0xf6, 0xb7, 0xd2, 0x8b, 0x84, 0xa0, 0x26, 0x6f, 0x8a, 0x4b, 0xc5,
+  0xd8, 0xdc, 0x54, 0xee, 0xe2, 0x4a, 0x56, 0xaa, 0xbc, 0x72, 0xe5, 0x93,
+  0xe6, 0x3f, 0xb6, 0xde, 0x6d, 0x6c, 0x7b, 0x25, 0x5b, 0x01, 0xec, 0x6f,
+  0x29, 0x64, 0xb7, 0xf3, 0x2e, 0x23, 0xf6, 0x1f, 0xae, 0x11, 0x2d, 0xc6,
+  0xba, 0xb9, 0xeb, 0x08, 0x60, 0xb1, 0x2d, 0x1b, 0x2b, 0x9e, 0xbe, 0x85,
+  0x74, 0x0a, 0x1d, 0x2e, 0x2a, 0x52, 0x91, 0x18, 0x20, 0xd7, 0xc9, 0xb2,
+  0x97, 0x84, 0x8f, 0x16, 0x2c, 0x32, 0xca, 0x18, 0x12, 0xaa, 0xc5, 0x20,
+  0x59, 0xca, 0xfb, 0x6d, 0x37, 0x32, 0xe3, 0xc5, 0xa3, 0x84
+};
+unsigned int _ca_der_len = 1510;
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	gnutls_datum_t raw;
+	gnutls_datum_t ca;
+	gnutls_x509_crt_t crt, ca_crt;
+	int ret;
+	unsigned status;
+
+	raw.data = (unsigned char *)data;
+	raw.size = size;
+
+	ca.data = _ca_der;
+	ca.size = _ca_der_len;
+
+	ret = gnutls_x509_crt_init(&ca_crt);
+	assert(ret >= 0);
+
+	ret = gnutls_x509_crt_init(&crt);
+	assert(ret >= 0);
+
+	ret = gnutls_x509_crt_import(ca_crt, &ca, GNUTLS_X509_FMT_DER);
+	if (ret < 0)
+		goto fail;
+
+	ret = gnutls_x509_crt_import(crt, &raw, GNUTLS_X509_FMT_DER);
+	if (ret < 0)
+		goto fail;
+
+	ret = gnutls_x509_crt_list_verify(&crt, 1, &ca_crt, 1, NULL, 0,
+					  GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN|GNUTLS_VERIFY_ALLOW_BROKEN|
+					  GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS,
+					  &status);
+	assert(ret >= 0 || status != 0);
+
+ fail:
+	gnutls_x509_crt_deinit(crt);
+	gnutls_x509_crt_deinit(ca_crt);
+	return 0;
+}
diff --git a/fuzz/gnutls_x509_verify_fuzzer.in/005eb5cbad48e22a4b0c36cd97f1c0225f3eed7f b/fuzz/gnutls_x509_verify_fuzzer.in/005eb5cbad48e22a4b0c36cd97f1c0225f3eed7f
new file mode 100644
index 0000000000..246a9aa565
--- /dev/null
+++ b/fuzz/gnutls_x509_verify_fuzzer.in/005eb5cbad48e22a4b0c36cd97f1c0225f3eed7f
@@ -0,0 +1 @@
+0„
\ No newline at end of file
diff --git a/fuzz/gnutls_x509_verify_fuzzer.in/c2632449b011340199af11389c073d2d380b2e1e b/fuzz/gnutls_x509_verify_fuzzer.in/c2632449b011340199af11389c073d2d380b2e1e
new file mode 100644
index 0000000000..ba9f7c073d
--- /dev/null
+++ b/fuzz/gnutls_x509_verify_fuzzer.in/c2632449b011340199af11389c073d2d380b2e1e
diff --git a/fuzz/gnutls_x509_verify_fuzzer.repro/cacdb69aaf394120d761291f43983336d15c7be3 b/fuzz/gnutls_x509_verify_fuzzer.repro/cacdb69aaf394120d761291f43983336d15c7be3
new file mode 100644
index 0000000000..bad7160bae
--- /dev/null
+++ b/fuzz/gnutls_x509_verify_fuzzer.repro/cacdb69aaf394120d761291f43983336d15c7be3
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index a608a24a3c..0d13aeaa75 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -65,7 +65,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
 	data/openssl-keyid.p7b data/openssl-keyid.p7b.out data/openssl.p12 \
 	data/x509-v1-with-sid.pem data/x509-v1-with-iid.pem data/x509-v3-with-fractional-time.pem \
 	templates/template-long-dns.tmpl templates/template-long-serial.tmpl \
-	data/key-rsa-pss-raw.pem data/key-rsa-pss.pem \
+	data/key-rsa-pss-raw.pem data/key-rsa-pss.pem data/cve-2019-3829.pem \
 	data/long-dns.pem data/template-long-dns-crq.pem data/chain-with-critical-on-root.pem \
 	data/chain-with-critical-on-intermediate.pem data/chain-with-critical-on-endcert.pem \
 	templates/crit-extensions.tmpl data/crit-extensions.pem data/x509-with-zero-version.pem \
diff --git a/tests/cert-tests/data/cve-2019-3829.pem b/tests/cert-tests/data/cve-2019-3829.pem
new file mode 100644
index 0000000000..c771843ea7
--- /dev/null
+++ b/tests/cert-tests/data/cve-2019-3829.pem
@@ -0,0 +1,66 @@
+-----BEGIN CERTIFICATE-----
+MIIFbjCCBFagAwIBAgIQPBKFvactgik351RXZ5opvTANBgkqhkiG9w0BAQUFADCB
+tDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
+YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEuMCwGA1UEAxMl
+VmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAxMCBDQTAeFw0xMjA4MTcw
+MDAwMDBaFw0xNTA5MDkyMzU5NTlaMIGxMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
+Q2FsaWZvcm5pYTETMBEGA1UEBxMKTWVubG8gUGFyazEbMBkGA1UEChQSUk9CTE9Y
+IENvcnBvcmF0aW9uMT4wPAYDVQQLEzVEaWdpdGFsIElEIENsYXNzIDMgLSBNaWNy
+b3NvZnQgU29mdHdhcmUgVmFsaWRhdGlvbiB2MjEbMBkGA1UEAxQSUk9CTE9YIENv
+cnBvcmF0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9Vg9Z0ee
+4Tg3pwyw9CcQCINfJEWLhhvrB88pcnyMKxbB7v3qwwfi9VhL0fRM/AusgONWrQuW
+2gftlw9ZtQMAWRkLvPHM3hXz5ch1XpvTmNqPQrSGfn9te7T9018ORa+WVuUCKzhL
+xMSxG+VEpSRZsSdhq/chwA3fqhdUdq7fdxo6H3v/RV8bDUz1vRow+ygtAMneh8/x
+kvnnyGZrW7BzJH6odOq4ASbx08czrKzqxnnoiFDmPuBTjv5wCLz0yHboHRQ/aC25
+GKXNioEVAGY/nWxVetFgJG8SwiIBR9C4KHaUqLHpPDU40WW7jGvybDaEGWXBQfTr
+e1Dj/B3JY6SGhwIDAQABo4IBezCCAXcwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMC
+B4AwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDovL2NzYzMtMjAxMC1jcmwudmVyaXNp
+Z24uY29tL0NTQzMtMjAxMC5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAq
+MCgGCCsGAQUFBwIBFhybdHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMDMHEGCCsGAQVLBwEBBGUwYzAkBggrBgEFBQcwAYYYaHR0
+cDovL29jc3AudmVyaXNpZ24uY29tMDsGCCsGAQUFBzAChi9odHRwOi8vY3NjMy0y
+MDEwLWFpYS52ZXJpc2lnbnhjb20vQ1NDMy0yMDEwLmNlcjAfBgNVHSMEGDAWgFBt
+48zqeyb0S8mOj9fwBSbv49KnnTARBglgIEgBhvhCAQEEBAMCBBAwFgYKKwYBBAGC
+NwIBGwQIMAYBAQABAf8wDQYJKoZIhvcNAQEFBQADggEBeCwxl3jzuZqItKl531TN
+TCCx3yoOfpZnGd7acfLyfeX8xDy7wakiOyC1nxv1FL7+H//Mku+F3Ne/A0HmnHx0
+sD9F1fYxweF8ubSoRqwUCXSMB4YZuwRAfUILon6YvyHU1kgPYwr0bsYu28l0liQY
+YC7ALFbwO2ecxOYgg38mho+XRRXPd/PtOfmZ23yeKvrD0Hm499jC1OloFX+8G4ly
+mz9Y8aoDBzkEYcXWn3Rz1p6EQJnWJzI/jSxMKIuI2/Ge+oIFZpEGK3Hec3sYqLs4
+EUOfWI4bNm1W+eU0E2bwuWmjddgTdOWHaYm7jMlCzkZw9qg2/IE2fTu7P7UuNOvw
+av0=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF4jCCBMqgAwIBAgIQJ1P4Bv6RNzIvW0CfHDGHXDANBgkqhkiG9w0BAQUFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtDEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
+ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
+aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEuMCwGA1UEAxMlVmVy
+aVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAxMCBDQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAPUjS16l14q7MunUV/fv5Mcmfq0ZmP6onX2U9jZr
+ENd1gTB/BGh/yyt1Hs0dCIzfaZSnN6Oce4DgmeHuN01fzjsU7obU0PUnNbwlCzin
+jGOdF6MIpauw+81qYoJM1SHaG9nx44Q7iipPhVuQAU/Jp3YQfycDfL6ufn3B3fkF
+vBtInGnnwKQ8PEEAPt+W5cXklHHWVQHHACZKQDy1oSapDKdtgI6QJXvPvz8c6y+W
++uWHd8a1VrJ6O1QwUxvfYjT/HtH0WpMoheVMF05+W/2kk5l/383vpHXv7xX2R+f4
+GXLYLjQaprSnTH69u08MPVfxMNamNo7WgHbXGS6lzX40LYkCAwEAAaOCAdYwggHS
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwcAYDVR0gBGkwZzBlBgtghkgBhvhFAQcXAzBW
+MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMCoGCCsG
+AQUFBwICMB4aHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwDgYDVR0PAQH/
+BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8w
+BwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZl
+cmlzaWduLmNvbS92c2xvZ28uZ2lmMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9j
+cmwudmVyaXNpZ24uY29tL3BjYTMtZzUuY3JsMCgGA1UdEQQhMB+kHTAbMRkwFwYD
+VQQDExBWZXJpU2lnbk1QS0ktMi04MB0GA1UdDgQWBBTPmanqeyb0S8mOj9fwBSbv
+49KnnTArBgNVHSUEJDAiBggrBgEFBQcDAgYIKwYBBQUHAwMGDCqGOgABg4+JDQEB
+ATAfBgNVHSMEGDAWgBR/02Wnwt3su/AwCfNDOfoCrzMxMzANBgkqhkiG9w0BAQUF
+AAOCAQEAW46f07q+qa8aPmWBt8Fk9qJ460yABjqsIm6MK7xdhX/AjxAqysStliQB
+aP9ltdEULCql2kmWr+nU/3GckwlKamH0S9HLtl8p/GgR5XL/Rg82KZlDnrPZrEeT
+e+/E62aGp9aJVD6Umw2R8NIjasANN85G35WupGXGGL+kaXM/6IXQSH0o7/NfsAG0
+dbTRU0v0b/aki2a273g5xYgrZzIa70DAlPa30ouEoCZvikvF2NxU7uJKVqq8cuWT
+5j+23m1seyVbAexvKWS38y4j9h+uES3GurnrCGCxLRsrnr6FdAodLipSkRgg18my
+l4SPFiwyyhgSqsUgWcr7bTcy48WjhA==
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig
index bc2774e1f5..bcebf995cb 100755
--- a/tests/cert-tests/invalid-sig
+++ b/tests/cert-tests/invalid-sig
@@ -29,6 +29,10 @@ if ! test -z "${VALGRIND}"; then
 	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
 fi
 
+if ! test -x "${CERTTOOL}"; then
+	exit 77
+fi
+
 #check whether a different PKCS #1 signature than the advertized in certificate is tolerated
 ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig.pem"
 rc=$?
@@ -75,7 +79,17 @@ rc=$?
 
 # We're done.
 if test "${rc}" = "0"; then
-	echo "Verification of invalid signature (4) failed"
+	echo "Verification of invalid signature (5) failed"
+	exit ${rc}
+fi
+
+#this was causing a double free; verify that we receive the expected error code
+${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem"
+rc=$?
+
+# We're done.
+if test "${rc}" != "1"; then
+	echo "Verification of invalid signature (6) failed"
 	exit ${rc}
 fi